The SUSE Linux Enterprise 11 Service Pack 1 kernel was updated to
2.6.32.36 and fixes various bugs and security issues.

Following security issues were fixed:
CVE-2011-1493: When parsing the FAC_NATIONAL_DIGIS facilities field,
it was possible for a remote host to provide more digipeaters than
expected, resulting in heap corruption.

(no CVEs assigned yet): In the rose networking stack, when parsing
the FAC_CCITT_DEST_NSAP and FAC_CCITT_SRC_NSAP facilities fields,
a remote host could provide a length of less than 10, resulting in
an underflow in a memcpy size, causing a kernel panic due to massive
heap corruption. A length of greater than 20 results in a stack
overflow of the callsign array

CVE-2011-1093: A bug in the order of dccp_rcv_state_process() was fixed
that still permitted reception even after closing the socket. A Reset
after close thus causes a NULL pointer dereference by not preventing
operations on an already torn-down socket.

CVE-2011-1013: A signedness issue in drm_modeset_ctl() could be used
by local attackers with access to the drm devices to potentially
crash the kernel or escalate privileges.

CVE-2011-1082: The epoll subsystem in Linux did not prevent users
from creating circular epoll file structures, potentially leading to
a denial of service (kernel deadlock).

CVE-2011-0712: Multiple buffer overflows in the caiaq Native
Instruments USB audio functionality in the Linux kernel might have
allowed attackers to cause a denial of service or possibly have
unspecified other impact via a long USB device name, related to (1)
the snd_usb_caiaq_audio_init function in sound/usb/caiaq/audio.c and
(2) the snd_usb_caiaq_midi_init function in sound/usb/caiaq/midi.c.

CVE-2011-1182: Local attackers could send signals to their programs
that looked like coming from the kernel, potentially gaining privileges
in the context of setuid programs.

CVE-2011-1478: An issue in the core GRO code where an skb belonging to
an unknown VLAN is reused could result in a NULL pointer dereference.

CVE-2011-1476: Specially crafted requests may be written to
/dev/sequencer resulting in an underflow when calculating a size for a
copy_from_user() operation in the driver for MIDI interfaces. On x86,
this just returns an error, but it could have caused memory corruption
on other architectures. Other malformed requests could have resulted
in the use of uninitialized variables.

CVE-2011-1477: Due to a failure to validate user-supplied indexes in
the driver for Yamaha YM3812 and OPL-3 chips, a specially crafted
ioctl request could have been sent to /dev/sequencer, resulting in
reading and writing beyond the bounds of heap buffers, and potentially
allowing privilege escalation.

CVE-2011-0191: A information leak in the XFS geometry calls could be
used by local attackers to gain access to kernel information.

CVE-2011-1090: A page allocator issue in NFS v4 ACL handling that
could lead to a denial of service (crash) was fixed.

CVE-2010-3880: net/ipv4/inet_diag.c in the Linux kernel did not
properly audit INET_DIAG bytecode, which allowed local users
to cause a denial of service (kernel infinite loop) via crafted
INET_DIAG_REQ_BYTECODE instructions in a netlink message that contains
multiple attribute elements, as demonstrated by INET_DIAG_BC_JMP
instructions.

CVE-2010-4656: Fixed a buffer size issue in "usb iowarrior" module,
where a malicious device could overflow a kernel buffer.

CVE-2011-0521: The dvb_ca_ioctl function in
drivers/media/dvb/ttpci/av7110_ca.c in the Linux kernel did not check
the sign of a certain integer field, which allowed local users to cause
a denial of service (memory corruption) or possibly have unspecified
other impact via a negative value.

CVE-2011-1180: In the IrDA module, length fields provided by a peer
for names and attributes may be longer than the destination array
sizes and were not checked, this allowed local attackers (close to
the irda port) to potentially corrupt memory.

CVE-2010-4251: A system out of memory condition (denial of service)
could be triggered with a large socket backlog, exploitable by
local users. This has been addressed by backlog limiting.

CVE-2011-1573: Bounds checking was missing in AARESOLVE_OFFSET, which
allowed local attackers to overwrite kernel memory and so escalate
privileges or crash the kernel.

2) Solution or Work-Around

There is no known workaround, please install the update packages.

3) Special Instructions and Notes

Please reboot the machine after installing the update.

4) Package Location and Checksums

The preferred method for installing security updates is to use the YaST
"Online Update" module or the "zypper" commandline tool. The package and
patch management stack will detect which updates are required and
automatically perform the necessary steps to verify and install them.

Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command

rpm -Fhv <file.rpm>

to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.

Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:

SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.

To verify the signature of the announcement, save it as text into a file
and run the command

gpg --verify <file>

replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:

If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command

gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc

- Package authenticity verification:

SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.

The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command

rpm -v --checksig <file.rpm>

to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build@xxxxxxx with the key ID 9C800ACA.

This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.

- SUSE runs two security mailing lists to which any interested party may
subscribe:

opensuse-security@xxxxxxxxxxxx
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe@xxxxxxxxxxxx>.

opensuse-security-announce@xxxxxxxxxxxx
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security-announce+subscribe@xxxxxxxxxxxx>.

The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.

SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.